Configuring IPv6 First Hop Security
Guidelines and Limitations of IPv6 RA Guard
The guidelines and limitations of IPv6 RA Guard are as follows:
• The IPv6 RA Guard feature does not offer protection in environments where IPv6 traffic is tunneled.
• This feature is supported only in hardware when the ternary content addressable memory (TCAM) is
programmed.
• This feature can be configured on a switch port interface in the ingress direction.
• This feature supports host mode and router mode.
• This feature is supported only in the ingress direction; it is not supported in the egress direction.
• This feature is supported on auxiliary VLANs and private VLANs (PVLANs). In the case of PVLANs,
primary VLAN features are inherited and merged with port features.
• Packets dropped by the IPv6 RA Guard feature can be spanned.
DHCPv6 Guard
Overview of DHCPv6 Guard
The DHCPv6 Guard feature blocks DHCP reply and advertisement messages that originate from unauthorized
DHCP servers and relay agents that forward DHCP packets from servers to clients. Client messages or messages
sent by relay agents from clients to servers are not blocked. The filtering decision is determined by the device
role assigned to the receiving switch port, trunk, or VLAN. This functionality helps to prevent traffic redirection
or denial of service (DoS).
Each packet is classified as one of the three DHCP message types. All client messages are always switched
regardless of device role. DHCP server messages are only processed further if the device role is set to server.
Further processing of DHCP server advertisements occurs for server preference checking.
If the device is configured as a DHCP server, all the messages need to be switched, regardless of the device
role configuration.
Limitation of DHCPv6 Guard
The guidelines and limitations of DHCPv6 Guard are as follows:
• If a packet arriving from DHCP server is a Relay Forward or a Relay Reply, only the device role is
checked. In addition, IPv6 DHCP Guard doesn't apply the policy for a packet sent out by the local relay
agent running on the switch.
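The filtering decision described in the DHCPv6 Guard overview and limitation can be modeled as follows. This is an added example, not code from the guide or from NX-OS. The function names, the `pref_min`/`pref_max` bounds, and the handling of empty or malformed payloads are assumptions made for illustration; message type and option numbers are those of RFC 8415.

```python
import struct

# DHCPv6 message types from RFC 8415.
CLIENT_TYPES = {1, 3, 4, 5, 6, 8, 9, 11}  # Solicit ... Information-request
ADVERTISE, RELAY_FORW = 2, 12
OPTION_PREFERENCE = 7

def advertised_preference(payload):
    """Preference option value of a client/server message; 0 when absent."""
    offset = 4  # skip msg-type (1 byte) and transaction-id (3 bytes)
    while offset + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, offset)
        data = payload[offset + 4:offset + 4 + length]
        if len(data) < length:
            raise ValueError("truncated option")
        if code == OPTION_PREFERENCE and length == 1:
            return data[0]
        offset += 4 + length
    return 0  # RFC 8415: an Advertise without the option has preference 0

def guard_decision(payload, device_role, pref_min=0, pref_max=255):
    """Return 'forward' or 'drop' for a DHCPv6 payload arriving on a port."""
    if not payload:
        return "drop"  # model choice (assumption): nothing to classify
    msg_type = payload[0]
    # Client messages and relay traffic toward servers are never blocked.
    if msg_type in CLIENT_TYPES or msg_type == RELAY_FORW:
        return "forward"
    # Everything else is server-direction: the port's device role decides.
    if device_role != "server":
        return "drop"
    # Only Advertise gets the preference check; Relay-Reply stops at the role.
    if msg_type == ADVERTISE:
        try:
            pref = advertised_preference(payload)
        except ValueError:
            return "drop"  # model choice (assumption): malformed options
        if not pref_min <= pref <= pref_max:
            return "drop"
    return "forward"

# Constructed sample payloads (UDP payload only, not captured traffic).
TXID = b"\xaa\xbb\xcc"
SOLICIT = bytes([1]) + TXID
ADVERTISE_PREF_255 = bytes([2]) + TXID + struct.pack("!HHB", OPTION_PREFERENCE, 1, 255)
REPLY = bytes([7]) + TXID
RELAY_REPL = bytes([13, 0]) + bytes(32)  # type, hop-count, link and peer address
```

An Advertise carrying preference 255 on a server-role port is the case worth testing against a policy: a client accepts such an offer immediately, so an upper bound on preference limits how strongly any one server can bias client selection.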
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x